Analysis
-
max time kernel
147s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
28/04/2024, 18:41
General
-
Target
1099cec3fdcb3e4b1e4c7c2350c146f6f715e25bdecbe02fea6cbdb9fc0cc1ac.exe
-
Size
1.1MB
-
MD5
e9b3ad4220c1429358929ea6f13c3223
-
SHA1
90f1105052ce197fd93fa9228be278d6be1873ac
-
SHA256
1099cec3fdcb3e4b1e4c7c2350c146f6f715e25bdecbe02fea6cbdb9fc0cc1ac
-
SHA512
0e6048f609a4a634e4ade6b0ac4eae94ff08025989bcad7aacd10485a4860190cd492889d70c3083acec25f400203e3bb3d8b885d8e835bfcee54e839c7e3466
-
SSDEEP
24576:yy9UPkRa6jJatWFGggibBSvpYxAyJxj1GuFCmrPzA37:Z6T6datLokvpYxAM1GuAmD
Malware Config
Extracted
amadey
3.80
http://193.3.19.154
-
install_dir
cb7ae701b3
-
install_file
oneetx.exe
-
strings_key
23b27c80db2465a8e1dc15491b69b82f
-
url_paths
/store/games/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 6 IoCs
-
Detects Healer an antivirus disabler dropper 34 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 34 IoCs
-
Detects executables packed with ConfuserEx Mod 6 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1099cec3fdcb3e4b1e4c7c2350c146f6f715e25bdecbe02fea6cbdb9fc0cc1ac.exe"C:\Users\Admin\AppData\Local\Temp\1099cec3fdcb3e4b1e4c7c2350c146f6f715e25bdecbe02fea6cbdb9fc0cc1ac.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ke215243.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ke215243.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\go963454.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\go963454.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lb854998.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lb854998.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225242081.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225242081.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 10846⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397865473.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397865473.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\458882322.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\458882322.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1452 -ip 14521⤵
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
993KB
MD58f097502ac1ec512247a72d2d6626b21
SHA108395f12ee4d71b4de7cc5f61fe423dee92e8a8e
SHA2561962a5bafb9ad416884960cb6dc2b8caa9b23014fe19509ba7045c940f2aa9e0
SHA512c406d892faf6618aa99a6ebdf6ea960157d598cda2105e1b6fbd38fcfa750fbe5c82bab3569fbdf484b8b3380a12c1cd8aaf13884160656a6af264d685427de6
-
Filesize
415KB
MD5cd54bb78a5ab4a985cb042d76521f256
SHA1fb6c2607afe8324c00636a2ea055e1c430439382
SHA256cc5ce43c20fc2d2997d06d9a3d250a092401e9f4bcae9988af286bb9cf73ef99
SHA5126f9e3c18622beebf2553c66ad3386cde2670f606a7e854f8cdf0b91dd3c79f6eb0cce46599031860243358ec676fd930e8a1fb3106733d483124d360769d5c17
-
Filesize
609KB
MD5321f036da9686013d531c2e06bee31af
SHA1a63ea9a16be77e13ff10fcfc1fa509130b9b72c4
SHA256d6e80daf1625ad8723a538e40af3f40e45acaf395a72b52e2ae82e9067ea4b1a
SHA51200bd6c1bc9a405e858e9bcfd575443c49e35bbe435997a026ce867ac52516b611e45424bc186422d4f6bba109792c5b352a8dc58dbe4e84000d54ff3d817611a
-
Filesize
204KB
MD5f9b20c19cc1c412b2b77f379fa037ce8
SHA1b8a1a68d57141c5054fc3296a3c6470269a80e7d
SHA256aea3550c0164e16aec74057964431308f3ad1a2551c9081b7d260b1a009d5237
SHA512a64d83109151d59130081d484470fb0960187af6581fdbc3529f850005e09d56985aee9adad5de3db3f57fad28773d1452a59dfe36260f4bff8002d7f6fc1014
-
Filesize
437KB
MD59ca1de4f62ad43bb4ac9561c8308dfc1
SHA17a98bd070aff8881d7fb3a4fd73a4d22772f2e91
SHA2565902f0c790c6949693a130cc83152c67ca0a677eea761bad705cfdb9bbb9c3d4
SHA5129539e51788355d85cff975882cba7f36e517da21dfa66ed6817459a6e8258d0c621b2bc1fec1376da8cd54c2312966d0b805a1ec5f77bf2c676f80a978bbcf96
-
Filesize
175KB
MD5818944cb43f0a027ea987933b5d965e8
SHA1cf99d8da30be79b647fce53d9280fa0a5f6f0e38
SHA256e917d854ea9eca1e9c3c4dac0f7116aa87e62dbe7b482f7b2a4497592e8944d8
SHA51203f2f76bb06308eda3728ca1f191c1c8b78eadda67f129001e8f184d2e7c654351d6ab9a495f8faf5caae47fa4f4e318f5314dcaf2ab6e4c0e9c2f8ee2b7ac1c
-
Filesize
332KB
MD5e1b605298c8dde321eba4e621b43b48a
SHA1e787f354713555143158c0bb1281d1806a5325a6
SHA2568772e25843562cef29c1b6fbd711009271f7f19635406c8592a12107f8798b19
SHA5124fd502c6a150abd6d2a05613b419a2714e1b9e2e186c2f0037c7a2f964d7e7ef63c9ef5dc4ef6e3479e275456896687133726e5698e3bd4fe2c34b9cbcacda17
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
96KB
-
Filesize
76KB
-
Filesize
5.6MB
-
Filesize
76KB
-
Filesize
104KB
-
Filesize
232KB
-
Filesize
240KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
304KB